1. Field of the Invention
The present invention relates generally to wiretapping electronic communications, and in particular to a computer implemented method, data processing system, and computer program product for authenticating or “notarizing” packet traces.
2. Description of the Related Art
Wiretapping is the process of monitoring telephone or electronic communications by a third party, often by covert means. This process of intercepting telephone conversations and electronic communications such as faxes, email, and other data transfers provides an effective investigation tool for law enforcement agencies. To implement a wiretap, law enforcement agencies typically issue a wiretap request to the central office of the telephone company or Internet Service Provider (ISP). Examples of wiretapping products employed by law enforcement agencies to intercept electronic communications include Carnivore, which was developed by the U.S. Federal Bureau of Investigation, and Cyveillance, a commercial product. The Carnivore system is deployed at the ISP of the person for whom law enforcement officials hold wiretap authorization, where it snoops on and stores that person's communication traces. Both Cyveillance and Carnivore operate essentially as packet sniffers, which are programs that can “see” all of the information passing over the network to which they are connected. The program looks at, or “sniffs”, each packet as the data streams over the network. The wiretap devices look for packets or communication sessions with particular packet attributes and, if found, save the sessions to disk or tape for later viewing and use in court proceedings. However, if the chain of custody of generated computer records such as these stored sessions cannot be proven, a court may consider such records hearsay, and special arguments must be made to introduce the records as evidence in court.
Existing methods in the current art for storing information related to a wiretap include hashing audit log records, using a hardware device to store the message digests of audit log records, integrating message digests into particular applications such as chat clients, and using a hardware device to store the message digests of a chat log. However, all of these existing methods typically store the wiretap information within a log and then compute a hash of the entire log. A hash function transforms the data into a digital “fingerprint”, or hash value. A typical hash value is a short string of letters and numbers (binary data written in hexadecimal notation). When another hash value of the log is taken at a later time, the two hash values are compared. If the hash values match, the log is determined to be authentic. However, there may still be some question as to the authenticity of the data in a court of law, since the computer data may potentially be altered prior to the initial hash of the complete log. There is currently no way to ensure that the data has not been altered or touched in some way since the time it was collected.
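To make the limitation concrete, the following is an added illustration written for this section, not code from the patent or from any of the products it names. It seals a constructed set of saved sessions with the prior-art whole-log hash, shows that an edit made after sealing is caught while an edit made before sealing is indistinguishable from authentic data, and shows that per-record digests (also listed above as existing art) can at least localize a later edit but share the same blind spot.

```python
import hashlib
from typing import List, Optional

# Constructed sample sessions, in the style of what a sniffer might save to disk.
CAPTURED = [
    b"session=1 src=10.0.0.5 dst=10.0.0.9 payload=hello",
    b"session=2 src=10.0.0.5 dst=10.0.0.7 payload=meet at nine",
    b"session=3 src=10.0.0.5 dst=10.0.0.8 payload=bye",
]
# Same log with session 2 silently changed (constructed tampering).
ALTERED = CAPTURED[:1] + [
    b"session=2 src=10.0.0.5 dst=10.0.0.7 payload=meet at ten"
] + CAPTURED[2:]

def hash_log(records: List[bytes]) -> str:
    """Prior-art scheme: one SHA-256 digest over the complete stored log."""
    return hashlib.sha256(b"\n".join(records)).hexdigest()

def verify_log(records: List[bytes], digest: str) -> bool:
    """Later check: recompute and compare; True means 'authentic' under this scheme."""
    return hash_log(records) == digest

def hash_records(records: List[bytes]) -> List[str]:
    """Variant from the same prior art: one digest per stored record."""
    return [hashlib.sha256(r).hexdigest() for r in records]

def first_mismatch(records: List[bytes], digests: List[str]) -> Optional[int]:
    """Index of the first record whose digest no longer matches, or None if all match."""
    if len(records) != len(digests):
        return min(len(records), len(digests))
    for i, (r, d) in enumerate(zip(records, digests)):
        if hashlib.sha256(r).hexdigest() != d:
            return i
    return None

def tamper_after_hash() -> bool:
    """Edit made after the initial hash: the stored digest exposes it."""
    digest = hash_log(CAPTURED)
    return verify_log(ALTERED, digest)   # False: the mismatch is detected

def tamper_before_hash() -> bool:
    """Edit made before the initial hash: the altered log is what gets sealed."""
    digest = hash_log(ALTERED)
    return verify_log(ALTERED, digest)   # True: nothing to compare against
```

The second scenario is the gap the text describes: a matching digest only proves the log is unchanged since it was first hashed, not since the traffic was captured.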